Querying Azure Log Analytics with PowerShell

Update Feb 2021: See the update at the bottom of the page for the new version of this code

I have used the Azure portal to query log analytics in the past, usually typing in a query then pressing "run". I may have even used the export option to save a csv of the results. Typically, the portal restricts you to 10k worth of records in a single query but suddenly I had the need to extract more data and on a rolling basis. Clearly, the portal wasn't going to cut it for me.

I was about to start writing some code to hit the web api when I thought, 'I wonder if PowerShell could help here?' Of course the answer was yes, there's a cmdlet for that. All you need is an authenticated session, the workspace id which you get from the analytics blade in the portal, and away you go.

Query-LogAnalytics.ps1


# Make sure you are authenticated with 
# Connect-AzureRmAccount


[string]$WorkspaceID = 'guid from analytics blade in portal.azure.com'

$Query = @'

search "Hello World"
| order by TimeGenerated desc
| project RenderedDescription 

'@

$Results = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $Query

$Results.Results | Export-Csv -Path "HelloWorldInTheLogs.csv"

Anything that works in the interactive query runner will work in code. Aside from this one-off use, I can see this being useful for pre- and post-deployment monitoring to check for errors when services start up.

Update Feb 2021

The AzureRm module is now obsolete and has been replaced with the new Az module. The code above works in pretty much the same way but with some renaming of the cmdlets.

AzQuery-LogAnalytics.ps1


# Make sure you are authenticated with 
# Connect-AzAccount


[string]$WorkspaceID = 'guid from analytics blade in portal.azure.com'

$Query = @'

search "Hello World"
| order by TimeGenerated desc
| project RenderedDescription 

'@

$Results = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $Query

$Results.Results | Export-Csv -Path "HelloWorldInTheLogs.csv"
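
The rolling extraction mentioned at the top of the post can be built on the same cmdlet by bounding each query to a time window and appending to one file. This is an added example, not code from the original post; the `Get-TimeWindow` helper, the one-hour window size and the extra `TimeGenerated` column are assumptions made for illustration.

```powershell
# Added example, not the post's code. Assumes Connect-AzAccount has been run and
# that the Az.OperationalInsights module is installed.

function Get-TimeWindow {
    # Split [Start, End) into consecutive windows of $Size; the last may be shorter.
    param([datetime]$Start, [datetime]$End, [timespan]$Size)
    for ($from = $Start; $from -lt $End; $from = $to) {
        $to = $from + $Size
        if ($to -gt $End) { $to = $End }
        [pscustomobject]@{ From = $from; To = $to }
    }
}

[string]$WorkspaceID = 'guid from analytics blade in portal.azure.com'
$OutFile = 'HelloWorldInTheLogs.csv'
$Fmt     = "yyyy-MM-dd'T'HH:mm:ss'Z'"      # ISO 8601 literal accepted by KQL datetime()
$Inv     = [cultureinfo]::InvariantCulture # keep ':' as the time separator on any locale

# Yesterday, UTC, midnight to midnight. Running this once a day gives a rolling
# export with no gaps and no overlaps, because each window is [From, To).
$End   = [datetime]::UtcNow.Date
$Start = $End.AddDays(-1)

foreach ($w in Get-TimeWindow -Start $Start -End $End -Size ([timespan]::FromHours(1))) {
    $from = $w.From.ToString($Fmt, $Inv)
    $to   = $w.To.ToString($Fmt, $Inv)

    # Same search as above, bounded to one window. TimeGenerated is projected too
    # so the exported rows can be ordered and de-duplicated later.
    $Query = @"
search "Hello World"
| where TimeGenerated >= datetime($from) and TimeGenerated < datetime($to)
| order by TimeGenerated asc
| project TimeGenerated, RenderedDescription
"@

    $Results = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $Query
    $rows = @($Results.Results)   # force enumeration so the rows can be counted

    if ($rows.Count -gt 0) {
        $rows | Export-Csv -Path $OutFile -Append -NoTypeInformation
    }
    Write-Host ("{0} -> {1}: {2} rows" -f $from, $to, $rows.Count)
}
```

If a single window still returns more rows than is comfortable to handle in one call, pass a smaller `-Size` to `Get-TimeWindow`; the per-window row count printed at the end of each iteration shows where that is needed.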